private Session[] GetSessionsFromPackets(ref PacketCaptureImport.PacketCounts pcCounts, Dictionary <string, TCPStream> dictTCPConns) { //FiddlerApplication.get_Log().LogFormat("PACKET COUNTER\n\n{0}\n", new object[] //{ // pcCounts //}); if (pcCounts.IPv4 + pcCounts.IPv6 < 1u) { string text = "No IPv4 or IPv6 traffic was found in this capture."; if (this.loadedFileType == PacketCaptureImport.FileType.CAP) { text += "\n\nIf this capture was collected using Message Analyzer, please instead use its 'Link Local' capture mode instead of 'Firewall' mode."; } if (!PacketCaptureImport.bSilent) { Console.WriteLine(String.Format(text, "No traffic found")); } return(null); } if (PacketCaptureImport.evtOnProgress != null) { ProgressCallbackEventArgs progressCallbackEventArgs = new ProgressCallbackEventArgs(0.4f, "Finished processing raw packets..."); PacketCaptureImport.evtOnProgress(null, progressCallbackEventArgs); if (progressCallbackEventArgs.Cancel == true) { return(null); } } PacketCaptureImport._PairTCPStreams(dictTCPConns); if (PacketCaptureImport.evtOnProgress != null) { ProgressCallbackEventArgs progressCallbackEventArgs2 = new ProgressCallbackEventArgs(0.6f, "Finished assembling streams..."); PacketCaptureImport.evtOnProgress(null, progressCallbackEventArgs2); if (progressCallbackEventArgs2.Cancel == true) { return(null); } } return(PacketCaptureImport._DumpTCPTraffic(dictTCPConns)); }
private Session[] GetSessionsFromNetMonCAP(BinaryReader rdr, uint uiMagic) { NetMonFileHeader netMonFileHeader = NetMonFileHeader.CreateFromReader(rdr, uiMagic); uint[] frameOffsets = netMonFileHeader.GetFrameOffsets(rdr); PacketCaptureImport.PacketCounts packetCounts = default(PacketCaptureImport.PacketCounts); Dictionary <uint, DNSTransaction> dictionary = new Dictionary <uint, DNSTransaction>(); Dictionary <string, TCPStream> dictionary2 = new Dictionary <string, TCPStream>(); uint num = 0u; while ((ulong)num < (ulong)((long)frameOffsets.Length)) { packetCounts.Total += 1u; rdr.BaseStream.Position = (long)((ulong)frameOffsets[(int)((UIntPtr)num)]); NetmonPacketHeader netmonPacketHeader = NetmonPacketHeader.CreateFromReader(rdr, netMonFileHeader.dtCapture); if (netmonPacketHeader.MediaType != MediaTypes.Ethernet && netmonPacketHeader.MediaType != MediaTypes.WFPCapture_Message2V4) { if (PacketCaptureImport.bVerboseDebug) { //FiddlerApplication.get_Log().LogFormat("Skipping frame {0} with MediaType: 0x{1:x}", new object[] //{ // num, // netmonPacketHeader.MediaType //}); } } else { byte[] array = new byte[netmonPacketHeader.PacketSavedSize]; rdr.BaseStream.Position = (long)((ulong)(frameOffsets[(int)((UIntPtr)num)] + 16u)); rdr.BaseStream.Read(array, 0, array.Length); IPFrame iPFrame; if (netmonPacketHeader.MediaType == MediaTypes.WFPCapture_Message2V4) { iPFrame = IPFrame.FakeAsIPFrame(num, array, netmonPacketHeader.dtPacket); } else { iPFrame = IPFrame.ParseAsIPFrame(num, array, netmonPacketHeader.dtPacket); } if (iPFrame != null) { if (iPFrame.IPVersion == 4) { packetCounts.IPv4 += 1u; } else { if (iPFrame.IPVersion == 6) { packetCounts.IPv6 += 1u; } } if (PacketCaptureImport.bVerboseDebug) { //FiddlerApplication.get_Log().LogFormat("Adding frame {0} - {1}", new object[] //{ // num, // iPFrame.ToString() //}); } IPSubProtocols nextProtocol = iPFrame.NextProtocol; if (nextProtocol != IPSubProtocols.TCP) { if (nextProtocol != IPSubProtocols.UDP) { if (nextProtocol == IPSubProtocols.ESP) { if (PacketCaptureImport.bVerboseDebug) { //FiddlerApplication.get_Log().LogFormat("ESP Frame #{0} skipped; parsing NYI", new object[] //{ // iPFrame.iFrameNumber //}); } } } else { UDPMessage uDPMessage = UDPMessage.Parse(iPFrame, array); packetCounts.UDP += 1u; if (WellKnownPorts.DNS == uDPMessage.DstPort) { DNSQuery dNSQuery = DNSQuery.Parse(iPFrame, array); if (dNSQuery.QueryType == DNSQueryType.AddressQuery) { DNSTransaction dNSTransaction; if (!dictionary.TryGetValue(dNSQuery.uiTransactionID, out dNSTransaction)) { dNSTransaction = new DNSTransaction(); dictionary.Add(dNSQuery.uiTransactionID, dNSTransaction); } dNSTransaction.uiTransactionID = dNSQuery.uiTransactionID; dNSTransaction.sQueryForHostname = dNSQuery.sHostname; dNSTransaction.bAAAAQuery = (dNSQuery.QueryType == DNSQueryType.AAAA); dNSTransaction.dtQuerySent = netmonPacketHeader.dtPacket; } } else { if (WellKnownPorts.DNS == uDPMessage.SrcPort) { DNSResponse dNSResponse = DNSResponse.Parse(iPFrame, array); DNSTransaction dNSTransaction2; if (dictionary.TryGetValue(dNSResponse.uiTransactionID, out dNSTransaction2)) { dNSTransaction2.dtResponseReceived = netmonPacketHeader.dtPacket; } } } } } else { TCPFrame tCPFrame = TCPFrame.Parse(iPFrame, array); if (tCPFrame != null) { packetCounts.TCP += 1u; TCPEndpoints tCPEndpoints = new TCPEndpoints(iPFrame.ipSrc, iPFrame.ipDest, tCPFrame.SrcPort, tCPFrame.DstPort); string key = tCPEndpoints.ToString(); TCPStream tCPStream; if (!dictionary2.TryGetValue(key, out tCPStream)) { tCPStream = new TCPStream(tCPEndpoints); uint processTableIndex = netmonPacketHeader.ProcessTableIndex; if ((ulong)processTableIndex < (ulong)((long)netMonFileHeader.arrProcesses.Length)) { tCPStream.sProcessInfo = netMonFileHeader.arrProcesses[(int)((UIntPtr)processTableIndex)]; } dictionary2.Add(key, tCPStream); } tCPStream.AddFrame(tCPFrame); } } } } num += 1u; } return(this.GetSessionsFromPackets(ref packetCounts, dictionary2)); }
private Session[] GetSessionsFromPCAPNG(BinaryReader rdr, uint uiMagic) { PCAPNGFileHeader pCAPNGFileHeader = PCAPNGFileHeader.CreateFromReader(rdr, uiMagic); if (pCAPNGFileHeader.ByteOrderMagic != 439041101u) { Console.WriteLine(String.Format("Sorry, this format is not yet supported. Please contact support.", "Unsupported Byte-Order")); return(null); } if (pCAPNGFileHeader.SectionHeaderLength != pCAPNGFileHeader.RepeatedHeaderLength) { Console.WriteLine(String.Format("Sorry, this file appears to be corrupt. HeaderLength != TrailingHeaderLength. Please contact support.", "File Corrupt")); return(null); } //Console.WriteLine(String.Format("Importing PCAPNG:\n{0}", pCAPNGFileHeader); PacketCaptureImport.PacketCounts packetCounts = default(PacketCaptureImport.PacketCounts); Dictionary <uint, DNSTransaction> dictionary = new Dictionary <uint, DNSTransaction>(); Dictionary <string, TCPStream> dictionary2 = new Dictionary <string, TCPStream>(); long length = rdr.BaseStream.Length; bool flag = false; while (!flag && rdr.BaseStream.Position + 8L <= length) { PCAPNGBlockHeader pCAPNGBlockHeader = PCAPNGBlockHeader.CreateFromReader(rdr); PCAPNGBlockType uiBlockType = pCAPNGBlockHeader.uiBlockType; if (uiBlockType != PCAPNGBlockType.InterfaceDescriptionBlock) { if (uiBlockType != PCAPNGBlockType.EnhancedPacketBlock) { //FiddlerApplication.get_Log().LogString(pCAPNGBlockHeader.ToString()); rdr.ReadBytes((int)(pCAPNGBlockHeader.uiBlockLength - 8u)); } else { packetCounts.Total += 1u; PCAPNGEnhancedPacketHeader pCAPNGEnhancedPacketHeader = PCAPNGEnhancedPacketHeader.CreateFromReader(rdr); if (pCAPNGEnhancedPacketHeader.PacketOriginalSize != pCAPNGEnhancedPacketHeader.PacketSavedSize) { //FiddlerApplication.get_Log().LogFormat("! WARNING: Packet was not stored completely. Stored only {0}/{1} bytes", new object[] //{ // pCAPNGEnhancedPacketHeader.PacketSavedSize, // pCAPNGEnhancedPacketHeader.PacketOriginalSize //}); } byte[] array = rdr.ReadBytes((int)pCAPNGEnhancedPacketHeader.PacketSavedSize); if ((long)array.Length != (long)((ulong)pCAPNGEnhancedPacketHeader.PacketSavedSize)) { //FiddlerApplication.get_Log().LogFormat("! WARNING: File was incomplete. Last frame stored only {0}/{1} bytes", new object[] //{ // array.Length, // pCAPNGEnhancedPacketHeader.PacketSavedSize //}); flag = true; } else { IPFrame iPFrame = IPFrame.ParseAsIPFrame(packetCounts.Total, array, pCAPNGEnhancedPacketHeader.dtPacket); if (iPFrame == null) { rdr.ReadBytes((int)((ulong)(pCAPNGBlockHeader.uiBlockLength - 28u) - (ulong)((long)pCAPNGEnhancedPacketHeader.PacketSavedSize))); } else { if (iPFrame.IPVersion == 4) { packetCounts.IPv4 += 1u; } else { if (iPFrame.IPVersion == 6) { packetCounts.IPv6 += 1u; } } IPSubProtocols nextProtocol = iPFrame.NextProtocol; if (nextProtocol != IPSubProtocols.TCP) { if (nextProtocol != IPSubProtocols.UDP) { if (nextProtocol == IPSubProtocols.ESP) { if (PacketCaptureImport.bVerboseDebug) { //FiddlerApplication.get_Log().LogFormat("ESP Frame #{0} skipped; parsing NYI", new object[] //{ // iPFrame.iFrameNumber //}); } } } else { UDPMessage uDPMessage = UDPMessage.Parse(iPFrame, array); packetCounts.UDP += 1u; if (WellKnownPorts.DNS == uDPMessage.DstPort) { DNSQuery dNSQuery = DNSQuery.Parse(iPFrame, array); if (dNSQuery.QueryType == DNSQueryType.AddressQuery) { DNSTransaction dNSTransaction; if (!dictionary.TryGetValue(dNSQuery.uiTransactionID, out dNSTransaction)) { dNSTransaction = new DNSTransaction(); dictionary.Add(dNSQuery.uiTransactionID, dNSTransaction); } dNSTransaction.uiTransactionID = dNSQuery.uiTransactionID; dNSTransaction.sQueryForHostname = dNSQuery.sHostname; dNSTransaction.bAAAAQuery = (dNSQuery.QueryType == DNSQueryType.AAAA); dNSTransaction.dtQuerySent = pCAPNGEnhancedPacketHeader.dtPacket; } } else { if (WellKnownPorts.DNS == uDPMessage.SrcPort) { DNSResponse dNSResponse = DNSResponse.Parse(iPFrame, array); DNSTransaction dNSTransaction2; if (dictionary.TryGetValue(dNSResponse.uiTransactionID, out dNSTransaction2)) { dNSTransaction2.dtResponseReceived = pCAPNGEnhancedPacketHeader.dtPacket; } } } } } else { TCPFrame tCPFrame = TCPFrame.Parse(iPFrame, array); if (tCPFrame == null) { continue; } packetCounts.TCP += 1u; TCPEndpoints tCPEndpoints = new TCPEndpoints(iPFrame.ipSrc, iPFrame.ipDest, tCPFrame.SrcPort, tCPFrame.DstPort); string key = tCPEndpoints.ToString(); TCPStream tCPStream; if (!dictionary2.TryGetValue(key, out tCPStream)) { tCPStream = new TCPStream(tCPEndpoints); dictionary2.Add(key, tCPStream); } tCPStream.AddFrame(tCPFrame); } int count = (int)((ulong)(pCAPNGBlockHeader.uiBlockLength - 28u) - (ulong)((long)pCAPNGEnhancedPacketHeader.PacketSavedSize)); rdr.ReadBytes(count); } } } } else { //FiddlerApplication.get_Log().LogString(pCAPNGBlockHeader.ToString()); rdr.ReadBytes((int)(pCAPNGBlockHeader.uiBlockLength - 8u)); } } return(this.GetSessionsFromPackets(ref packetCounts, dictionary2)); }
private Session[] GetSessionsFromPCAP(BinaryReader rdr, uint uiMagic) { PCAPFileHeader pCAPFileHeader = PCAPFileHeader.CreateFromReader(rdr, uiMagic); if (pCAPFileHeader.IsByteOrderSwapped && !PacketCaptureImport.bSilent) { Console.WriteLine(String.Format("Warning: Byte order swapped. Import will fail!", "FILE FORMAT WARNING")); } if (pCAPFileHeader.LinkType != 1u && !PacketCaptureImport.bSilent) { Console.WriteLine(String.Format("Warning: Link Type is not Ethernet. Import likely to fail!", "FILE FORMAT WARNING")); } //Console.WriteLine(String.Format("Importing PCAP:\n{0}", pCAPFileHeader)); PacketCaptureImport.PacketCounts packetCounts = default(PacketCaptureImport.PacketCounts); Dictionary <uint, DNSTransaction> dictionary = new Dictionary <uint, DNSTransaction>(); Dictionary <string, TCPStream> dictionary2 = new Dictionary <string, TCPStream>(); long length = rdr.BaseStream.Length; bool flag = false; //Console.WriteLine(String.Format("length #{0}\n", length)); while (!flag && rdr.BaseStream.Position + 16L <= length) { packetCounts.Total += 1u; //Console.WriteLine(String.Format("packetCounts.Total : {0}", packetCounts.Total)); PCAPPacketHeader pCAPPacketHeader = PCAPPacketHeader.CreateFromReader(rdr); if (14u > pCAPPacketHeader.PacketSavedSize) { //Console.WriteLine("14u > pCAPPacketHeader.PacketSavedSize"); rdr.BaseStream.Position += (long)pCAPPacketHeader.PacketSavedSize; } else { if (pCAPPacketHeader.PacketOriginalSize != pCAPPacketHeader.PacketSavedSize) { Console.WriteLine(String.Format("! WARNING: Packet{0} was not stored completely. Stored only {1}/{2} bytes", packetCounts.Total, pCAPPacketHeader.PacketSavedSize, pCAPPacketHeader.PacketOriginalSize)); } byte[] array = rdr.ReadBytes((int)pCAPPacketHeader.PacketSavedSize); //hidd3ncodes: Trying to skip this packet. if (pCAPPacketHeader.PacketOriginalSize != pCAPPacketHeader.PacketSavedSize) { continue; } if ((long)array.Length != (long)((ulong)pCAPPacketHeader.PacketSavedSize)) { Console.WriteLine(String.Format("! WARNING: File was incomplete. Last frame stored only {0}/{1} bytes", array.Length, pCAPPacketHeader.PacketSavedSize)); flag = true; } else { IPFrame iPFrame = IPFrame.ParseAsIPFrame(packetCounts.Total, array, pCAPPacketHeader.dtPacket); if (iPFrame != null) { if (iPFrame.IPVersion == 4) { packetCounts.IPv4 += 1u; } else { if (iPFrame.IPVersion == 6) { packetCounts.IPv6 += 1u; } } IPSubProtocols nextProtocol = iPFrame.NextProtocol; if (nextProtocol != IPSubProtocols.TCP) { if (nextProtocol != IPSubProtocols.UDP) { if (nextProtocol == IPSubProtocols.ESP) { //if (PacketCaptureImport.bVerboseDebug) //{ Console.WriteLine(String.Format("ESP Frame #{0} skipped; parsing NYI", iPFrame.iFrameNumber)); //} } } else { UDPMessage uDPMessage = UDPMessage.Parse(iPFrame, array); packetCounts.UDP += 1u; if (WellKnownPorts.DNS == uDPMessage.DstPort) { DNSQuery dNSQuery = DNSQuery.Parse(iPFrame, array); if (dNSQuery.QueryType == DNSQueryType.AddressQuery) { DNSTransaction dNSTransaction; if (!dictionary.TryGetValue(dNSQuery.uiTransactionID, out dNSTransaction)) { dNSTransaction = new DNSTransaction(); dictionary.Add(dNSQuery.uiTransactionID, dNSTransaction); } dNSTransaction.uiTransactionID = dNSQuery.uiTransactionID; dNSTransaction.sQueryForHostname = dNSQuery.sHostname; dNSTransaction.bAAAAQuery = (dNSQuery.QueryType == DNSQueryType.AAAA); dNSTransaction.dtQuerySent = pCAPPacketHeader.dtPacket; } } else { if (WellKnownPorts.DNS == uDPMessage.SrcPort) { DNSResponse dNSResponse = DNSResponse.Parse(iPFrame, array); DNSTransaction dNSTransaction2; if (dictionary.TryGetValue(dNSResponse.uiTransactionID, out dNSTransaction2)) { dNSTransaction2.dtResponseReceived = pCAPPacketHeader.dtPacket; } } } } } else { TCPFrame tCPFrame = TCPFrame.Parse(iPFrame, array); //Console.WriteLine(String.Format("I am here", length)); if (tCPFrame != null) { packetCounts.TCP += 1u; TCPEndpoints tCPEndpoints = new TCPEndpoints(iPFrame.ipSrc, iPFrame.ipDest, tCPFrame.SrcPort, tCPFrame.DstPort); string key = tCPEndpoints.ToString(); TCPStream tCPStream; if (!dictionary2.TryGetValue(key, out tCPStream)) { tCPStream = new TCPStream(tCPEndpoints); dictionary2.Add(key, tCPStream); } tCPStream.AddFrame(tCPFrame); } } } } } //Console.WriteLine(String.Format("Flag #{0}", flag)); //Console.WriteLine(String.Format("rdr.BaseStream.Position #{0}", rdr.BaseStream.Position)); } return(this.GetSessionsFromPackets(ref packetCounts, dictionary2)); }